FreeWDE – FreeBSD with Whole Disk Encryption

FreeWDE is a “minimal install” FreeBSD image that you can write to a USB stick or SD-card. When booted, FreeWDE asks some questions, creates an AES-256 encrypted partition on the same device and copies the operating system into it. You can tell FreeWDE to additionally install an unencrypted FAT32 (Windows) partition, which makes the USB stick or SD-card look like a normal storage device to Windows or Mac machines. It can hold your camera’s pictures or be used for files that you want to move in and out of an offline encrypted system. You can set sizes for all these partitions as well as for the encrypted swap. You can also opt to mount /tmp and /var/log as tmpfs ramdisks.

Or, in normal language, you boot from a stick or any other device and get a basic unix operating system that is fully encrypted and not any slower than it needs to be. Of course, you’ll still want to use the fastest media you can get hold of, and a bit of processor speed for the crypto doesn’t hurt either. It runs fine on my eeePC 1005PE.

This just installs a basic FreeBSD unix system. It does not include X Windows, web browsers, mail clients or whatever else you’d like. You can of course install all that after the encryption is set up, or compile your own image with everything you need already packaged in it.

Please have a play if you are so inclined, and use the comments to tell me what you think.

Download

Installation

You need to copy this unzipped image file to a disk device, generally a USB stick, an SD-card or a removable drive. It doesn’t help to simply copy the file as a file: you need to write the raw contents of the image to the disk device, block for block, so that its partition table and boot blocks end up at the start of the disk.

IF YOU CONTINUE, YOU WILL BE WRITING DATA DIRECTLY TO A DISK DEVICE. PLEASE NOTE THAT THIS MAY, IN SOME CASES WITHOUT ANY WARNINGS, OVERWRITE THE DISK DEVICE YOU CHOOSE. SO PLEASE TAKE EXTREME CARE TO PICK THE DISK YOU ACTUALLY WANT TO INSTALL THIS ON, NOT THE HARD DISK WITH ALL YOUR WORK ON IT. REGULAR BACKUPS ARE ALWAYS A GOOD IDEA, AND RIGHT NOW IS A BETTER THAN AVERAGE TIME TO MAKE ONE.

On Mac/OSX, Linux, FreeBSD or another unix machine this is done with ‘dd’ from the command prompt as follows:

sudo dd if=<image file> of=<disk device> bs=1M

where <image file> is the file you just downloaded and <disk device> is the unix filename for the whole disk (not a partition on it). Find that name before you type anything: ‘diskutil list’ on a Mac, ‘lsblk’ or ‘dmesg’ on Linux, ‘dmesg’ or ‘camcontrol devlist’ on FreeBSD, ideally with the stick plugged in and out once so you can see which entry appears and disappears. Unmount it first (on a Mac: ‘diskutil unmountDisk /dev/diskN’), and on a Mac use ‘bs=1m’ or ‘bs=1048576’, because the BSD dd there may reject the capital M. On a Mac, DO NOT USE /dev/disk0 (zero) as it is usually the system boot disk. You will be VERY sad if you write my file to it in this way.

On a machine running some version of Microsoft Windows, download a program called physdiskwrite and use it to write the image to the disk you’d like to run this from.
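As an added example (my own script, not something from the FreeWDE page or its author), here is the dd step wrapped in a few checks: it refuses device names that are usually the system disk, writes with a byte-count block size that every dd accepts, and reads the written bytes back to compare a checksum, which catches the common case of a stick that silently drops writes. The device-name patterns it refuses are an assumption about typical naming and are no substitute for checking the device list yourself.

```shell
#!/bin/sh
# Added example, not part of FreeWDE: write an image to a removable device with
# a few guard rails, then verify the write by reading it back.
# Assumptions: the image file and target device are given on the command line,
# the device is already unmounted, and 'head -c' and 'cksum' are available
# (coreutils and the BSDs have both).

# Refuse targets that are usually the system disk. The patterns are an
# assumption about common naming, not an exhaustive list: check 'diskutil
# list', 'lsblk' or 'camcontrol devlist' yourself before trusting this.
validate_target() {
    t="$1"
    case "$t" in
        /dev/disk0|/dev/disk0s*|/dev/rdisk0|/dev/rdisk0s*)  return 1 ;;  # macOS boot disk
        /dev/sda|/dev/sda[0-9]*|/dev/nvme0n1|/dev/nvme0n1p*) return 1 ;;  # usual Linux system disk
        /dev/ad0|/dev/ad0s*|/dev/ada0|/dev/ada0s*)           return 1 ;;  # usual FreeBSD system disk
        /dev/*) return 0 ;;
        *)      return 1 ;;   # not a device path at all
    esac
}

# Write image $1 to device $2, flush, then compare a checksum of the first
# $size bytes read back from the device with a checksum of the image.
# bs=1048576 rather than 1M because BSD dd (macOS included) may reject 'M'.
write_and_verify() {
    img="$1"; dev="$2"
    size=$(wc -c < "$img" | tr -d ' ')
    dd if="$img" of="$dev" bs=1048576 2>/dev/null || return 1
    sync
    want=$(cksum < "$img" | cut -d' ' -f1)
    got=$(head -c "$size" "$dev" | cksum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Command-line use: sh write-image.sh <image file> <disk device>
if [ "$#" -eq 2 ]; then
    validate_target "$2" || { echo "refusing to write to $2" >&2; exit 1; }
    if write_and_verify "$1" "$2"; then
        echo "image written and verified on $2"
    else
        echo "VERIFY FAILED: do not boot from $2" >&2
        exit 1
    fi
fi
```

The checksum comparison only confirms that the bytes landed on the device; it says nothing about whether the image you downloaded is the one the author published, which you would check against a hash obtained from the author separately.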

If you then shut down and boot from the stick, disk or card you just installed this on, you should, after the normal FreeBSD boot sequence, be presented with a dialog as follows. My answers in this example installation (to an 8 GB Sandisk Extreme 30 MB/s SD-card) are given at the end of each prompt line.

Welcome to FreeWDE, the FreeBSD with Whole Disk Encryption installer

This script will help you create a bootable disk with multiple “slices”. One will be unencrypted and will hold the files needed to boot. In fact, we will reuse the part that you just booted from and just keep it as it is.

Then there’s the encrypted slice that this is all about. It is encrypted with AES-256 and holds either one or two partitions. There’s at least the root filesystem, and if you so choose there is also a swap area. And to make for a faster system on slow disks (such as many USB sticks), /tmp and /var/log can be put on tmpfs (which means they usually stay in RAM).

You can choose to install another ‘unencrypted’ slice. In there, we’ll put a regular Windows FAT32 filesystem. This means you can use the device as a regular USB disk or SD-card. To stick in your camera and take pictures on, for example.

Are you sure you want to do this? (yes/no) yes

Enter size of UNENCRYPTED slice. This size can be entered in megabytes or gigabytes. It needs to be entered as a number followed by M or G. So ‘1G’ for a 1 gigabyte unencrypted slice. Enter “0” or “none” if you do not want an unencrypted slice.

Size of unencrypted slice? 1G

Enter the size of the encrypted slice: a number immediately followed by M or G. This size includes root file system and swap. If you enter “all”, we will use the remainder of the device.

Size of encrypted slice? all

How big is the swap partition on the encrypted slice, again as a number immediately followed by the capital letter M or G. If you enter “0” you will not have swap, so the entire encrypted slice is used for files.

Size of swap space? 2G

You can choose to wipe the disk, putting zeroes in the unencrypted slice and random data in the encrypted one. This makes sure no previous data can be read back, and the random fill also means that unused space in the encrypted slice cannot be told apart from ciphertext, but it can take a long time depending on the size and speed of the disk. So if you just bought it, you might as well enter no here.

Wipe disk? (yes/no) no

Would you like /tmp on a tmpfs (in ram) ? (yes/no) yes

We can do the same for /var/log. This does mean you’ll have to edit /etc/fstab before you can debug why something crashes.

Would you like /var/log on a tmpfs? (yes/no) yes

writing partition table

The partition table needs to be re-read, for which we need to reboot. Press enter to reboot. Installation will continue after we return.
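To see how the answers above translate into a layout, here is an added shell planner (mine, not the installer’s own code) that parses the size syntax the prompts describe and checks that the request fits the device. It assumes M and G are binary units (1048576 and 1073741824 bytes) and that the boot slice already on the device, which the installer keeps as it is, is passed in as a byte count.

```shell
#!/bin/sh
# Added example, not the FreeWDE installer's code: turn the installer's answers
# into a byte layout and refuse combinations that cannot fit.
# Assumptions: M and G are binary units; the existing boot slice is given in
# bytes; only the encrypted slice may be "all".

# Parse "1G", "512M", "0"/"none" or "all". Prints a byte count or the word
# "all"; returns 1 on anything else so a typo does not silently become 0.
parse_size() {
    case "$1" in
        0|none) echo 0;   return 0 ;;
        all)    echo all; return 0 ;;
    esac
    n=${1%[MG]}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # digits only before the suffix
    case "$1" in
        *M) echo $(( n * 1048576 )) ;;
        *G) echo $(( n * 1073741824 )) ;;
        *)  return 1 ;;                             # a bare number has no unit
    esac
}

# plan_layout DEVICE_BYTES BOOT_BYTES UNENC ENC SWAP
# Prints "unenc=... enc=... swap=... root=..." or fails if it does not fit.
plan_layout() {
    dev=$1; boot=$2
    unenc=$(parse_size "$3") || return 1
    enc=$(parse_size "$4")   || return 1
    swap=$(parse_size "$5")  || return 1
    [ "$unenc" != all ] && [ "$swap" != all ] || return 1   # only ENC may be "all"
    if [ "$enc" = all ]; then
        enc=$(( dev - boot - unenc ))                     # remainder of the device
    fi
    [ $(( boot + unenc + enc )) -le "$dev" ] || return 1  # must fit the device
    root=$(( enc - swap ))                                # swap comes out of the encrypted slice
    [ "$root" -gt 0 ] || return 1                         # something must be left for /
    echo "unenc=$unenc enc=$enc swap=$swap root=$root"
}
```

plan_layout 8000000000 268435456 1G all 2G reproduces the example installation on a nominal 8 GB card with an assumed 256 MiB boot slice and leaves about 4.2 GiB for the root filesystem; asking for 8G of swap on the same card fails, because nothing would be left for /.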

Now the system reboots. Make sure it boots from the same disk again. You’ll see FreeBSD boot again. When that is done, the screen clears and the installer continues with copying the system into the encrypted slice.

After rebooting, you’ll find a virgin FreeBSD system. Log in as ‘root’; no password is set, so run ‘passwd’ before you do anything else. The system is the typical FreeBSD 8.0-RELEASE minimal install with a GENERIC kernel. The only difference is that the root filesystem is mounted off the encrypted part of the device you installed from, and that swap and tmpfs have been set up as specified during installation.
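The /etc/fstab lines behind the two tmpfs answers look roughly like this (an added illustration, not the file the installer actually writes; the size caps are assumptions, chosen so a runaway log cannot eat all of the RAM, and the mode on /tmp is the sticky, world-writable mode /tmp needs). To debug a crash, comment out the /var/log line and reboot so that logs land on the encrypted disk again.

```fstab
# Device   Mountpoint  FStype  Options                         Dump  Pass#
tmpfs      /tmp        tmpfs   rw,mode=01777,size=268435456    0     0
tmpfs      /var/log    tmpfs   rw,mode=0755,size=67108864      0     0
```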

The big cosmetic issue

If you boot into the encrypted system, it might seem as if the system hangs. Then if you read back a few lines, you’ll notice that the system is asking for your passphrase but that other parts of the boot process have put text after or on top of the prompt. You can just ignore all that and type your passphrase anyway. It is annoying and ugly, but there is not much I can do about it without going far deeper than I want to right now.

Tips

You’ll generally want to do:

echo 'powerd_enable="YES"' >> /etc/rc.conf
powerd

if you are running on a notebook or netbook, as this makes sure the system lowers the processor clock frequency if the system is idle, making the battery last much longer.

How to make your own

There are plenty of reasons to want to build your own system like this. You might be rolling out many of these, and maybe want to include your own software in the image. Or maybe you’d like to make sure that I haven’t installed something that logs your passphrase. (I could have, you know…)

The good news is that it is very easy to repeat what I did. All you need is this shell script and a fresh installation of FreeBSD in a slice that is so small that it just fits the files. You will also need another installation of FreeBSD to work from (which can also be on a USB stick). Start this working copy of FreeBSD and run FreeWDE-v0.1-DIY-install <disk>

<disk> is the device name (without /dev/) of the disk holding the fresh copy. Make sure it is not mounted; the script does all the mounting itself. The script will notice that there is no file ‘clean’ in the current directory. It will then use dd to copy the s1 slice of the indicated device to ‘clean’, make some changes to the image to set it up for FreeWDE, install the installation script (which is contained in the DIY script) and copy the resulting image to the file ‘image’. If you make changes to the install script, you will not need a fresh copy of FreeBSD to test it, as the DIY script will simply use the copy in the file ‘clean’ from then on.

4 thoughts on “FreeWDE – FreeBSD with Whole Disk Encryption”

I am beginning to notice that this runs fine on some machines and not on others. I am using GEOM disk labels to set which disk to mount as root and am beginning to notice that it depends on the BIOS whether this works or not. This means I have to go the other route and use a RAMdisk. So if it doesn’t work for you, you’ll have to wait until I have a few days. Sorry…

I tried to use the script with FreeBSD 8.1, put a fresh copy on ad0 and a minimal copy on ad1. Booted from ad0, downloaded your script, executed it with ad1 as parameter –> copying works fine but after that I get a lot of directory errors and no image is produced.

I am a 16-year-old scriptkiddie from Holland (a relative of Tim Bleeker, maybe you know him from something. He is, as far as I know, also ‘very good with computers and computer security’), trying to learn as much as possible!
Recently I decided to get to know FreeBSD (or OpenBSD, even better), and possibly, in the future, switch from BackTrack to FreeBSD. I really value my privacy, so I like to always have full-disk encryption (tried things like http://forums.freebsd.org/showthread.php?t=12503, without luck: can’t get those working either). I found your script and really liked it! It runs very smoothly on my laptop! Unfortunately I can’t seem to get it running on my desktop. Lucky for me, you already sorted out the problem: my BIOS. That’s where I get stuck; it isn’t going to work for me, as I already updated my BIOS to the newest version and it is still not working. I was hoping you would have, like you said on 14th June 2010, a new script, free from GEOM disk labels, which will work for me! Could you maybe post that like you did with the current one? If you don’t have it, can you maybe help me with this Howto: http://forums.freebsd.org/showthread.php?t=12503 ?
I can walk through the whole Howto without errors; it goes wrong when I reboot. After I type in my password, I have to specify where to mount root from. That isn’t going well either (can it have something to do with the GEOM disk labels, like it does with your script?).
I hope you can help me, as I really value my privacy, like you do.

I also hope I can be as good as you are one day.

Greetings
Dex Bleeker

PS, I ‘mailed’ you in English, so that people from all over the world can read this, and maybe learn something from it or teach me something.